Exploring access to genomic risk information and the contours of the HIPAA public health exception

Abstract Considerable resources have been invested in research to identify pathogenic and likely pathogenic variants that cause morbidity and mortality and also in returning these results to patients. The public health impact and cost-effectiveness of these efforts are maximized when probands’ relatives are informed of their risk and offered testing. However, such ‘Traceback’ cascade testing programs face multiple obstacles, including perceived or actual legal and regulatory hurdles. Here, using genetic cancer syndromes as a test case, we explore the contours of the Public Health Exception to the HIPAA Privacy Rule to assess whether it is a viable pathway for implementing a Traceback program. After examining the Privacy Rule as well as state laws and regulations for reportable conditions and genetic privacy, we conclude that this is not currently a viable approach for Traceback programs. We conclude by reflecting on ethical considerations of leveraging HIPAA’s public health exception to disclose PHI directly to at-risk relatives and offering insights for how legal hurdles to such a Traceback program could be overcome, if desired.


I. INTRODUCTION
Improving access to genomic risk information has been a growing priority over the past 20 years, with efforts advancing in both medicine and public health domains and the emergence of 'precision medicine' 1 and 'precision public health.' 2 The population health impact and cost-effectiveness of these programs are premised on 'Traceback' cascade testing, in which at-risk first-degree relatives of probands (patients with a pathogenic or likely pathogenic variant) are notified of their risk and invited for genetic testing themselves. 3 However, genetic counselors have expressed frustration with low uptake of Traceback testing. One barrier to uptake is that Traceback programs traditionally run through the proband; that is, the proband is encouraged to communicate their relatives' risk and testing recommendation to them. But probands do not always appreciate the importance of communicating familial risks to relatives promptly, are sometimes apprehensive about having such conversations with their relatives on their own, and are sometimes simply unwilling (for a variety of reasons) to share their genetic risk information with others.
Yet genetic counselors have reported uncertainty about whether and how they may communicate genetic risk information directly to at-risk relatives. A particularly acute example of this general problem is Traceback screening for ovarian cancer-a condition for which germline mutations in BRCA1 and BRCA2 are known to increase one's risk and for which multiple current clinical guidelines recommend genetic testing. 4 Unfortunately, ovarian cancer is often detected too late to effectively treat. This means both that genetic testing of at-risk relatives is critical to support early intervention and that probands often die before Traceback testing can be broached, adding to the list of reasons above why an approach to cascade testing that runs through the proband is problematic.
Scholars have recently clarified the ability of healthcare providers to facilitate expanded access to genomic risk information by assisting the communication of familial risks between a proband and the proband's relatives; directly contacting atrisk relatives with the proband's authorization; or contacting the healthcare provider of the proband's relatives. 5 The Health Insurance Portability and Accountability Act 6 (HIPAA) Privacy Rule, 7 which sets a federal floor of privacy protections for patients' health information 8 and usually preempts conflicting state law, 9 generally allows for protected health information (PHI) to be accessed and used 'to carry out treatment, payment, or health care operations' without any specific prior authorization from patients to do so. 10   'treatment' 12 purposes can involve not only the treatment of that one specific patient but also other patients (such as at-risk family members to facilitate cascade genetic screening). Some scholars therefore have interpreted the HIPAA Privacy Rule as permitting limited forms of a Traceback program. Specifically, they conclude that HIPAA permits providers to disclose a proband's PHI either directly to at-risk relatives of the proband (with the patient proband's authorization) or indirectly to another healthcare provider who is treating the at-risk relative (without the proband's authorization) . 13 An open question, however, is whether HIPAA permits providers to directly contact at-risk relatives without the proband's authorization. Prior scholarship has dismissed this possibility without closely scrutinizing the relevant text of the HIPAA Privacy Rule that might be most useful for advancing precision public health by allowing direct contact of at-risk relatives even in instances in which no proband authorization is available: the Public Health Exception (PHE) to the HIPAA Privacy Rule. Here, we explore the contours of the PHE as it might relate to Traceback programs, using genetic cancer syndromes as a test case.

II. THE HIPAA PRIVACY RULE'S PUBLIC HEALTH EXCEPTION (PHE)
The HIPAA Privacy Rule contains a PHE allowing healthcare providers to 'use or disclose protected health information for public health activities and purposes' without having to seek the specific patient's permission. 14 The exception enumerates to whom healthcare providers may share such information, specifically allowing the disclosures to [a] public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions . . . 15 or directly to [a] person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation . . . 16 Given the aforementioned text, the HIPAA PHE theoretically would enable healthcare providers (such as genetic counselors) to overcome hurdles in the cascade testing process and either (i) disclose to a 'public health authority' that is in turn 'authorized by law' to disclose to relatives or (ii) disclose directly to at-risk relatives as an employee of a covered entity 'authorized by law' to do so as part of 'a public health intervention 12 45 C.F.R. 164.501 (defining treatment as 'the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.'). 13 See Scenarios 3 and 6 in Table 1  or investigation'-in either case, even when the patient-proband is recently deceased 17 and unable to give consent 18 ; is not reachable for whatever reason; or holds steadfast genetic privacy preferences and objects to the disclosure of the information to their at-risk relatives.
Although HIPAA defines 'public health authority' as an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate, 19 there has been some regulatory confusion-magnified by the COVID-19 pandemicas to what constitutes public health activities (as opposed to public health research) and which persons or entities may lawfully carry out such public health activities. 20 The conceptualization of a 'public health authority' is irrefutably broad; 21 however, public health surveillance activities are expressly defined as non-research and therefore excluded from research regulatory oversight, 22 although it is perhaps intended to be narrowly construed. 23 Although public health research is not the focus of this exploration of the feasibility of a Traceback program for genetic cancer syndromes and how 'public health authority' is interpreted there does not necessarily compel us to adopt the same interpretation under the HIPAA Privacy Rule, a brief look at recent discussions is illuminating. In late July 2020, the Secretary's Advisory Council on Human Research Protections (SACHRP) weighed in on the interpretation of 'public health authority' and 'public health surveillance activities' within the context of the 2018 Common Rule Requirements 24 for research involving human participants and offered the Office of Human Research Protections some recommendations. 25 SACHRP generally recommended a narrow interpretation and application of the public health exclusion from the research regulations, explaining that public trust could be eroded and discouraging broad application 'outside of a public health emergency' context. 26 SACHRP expressed its expert opinion that a person or entity (including private companies, academic institutions, or others) may be considered a 'public health authority' for research regulatory purposes 27 but emphasized the importance of that person or entity acting pursuant to a documented delegation of legal authority (based in governmental statutes or regulations and memorialized by a document such as a memorandum of understanding (MOU), contract, purchase order, or letter that carefully defines the activity) by the public health authority to act on its behalf. 28 SACHRP further indicated that public health surveillance activities may be 'passive' or 'active' (such as the notifiable disease reporting system or the Active Bacterial Core System, respectively). 29 To determine whether a project is a public health surveillance activity that is excluded from the 2018 Common Rule Requirements, SACHRP indicated the following questions must be answered affirmatively: (a) 'Is the project conducted, supported, requested, ordered, required, or authorized by a public health authority?'; (b) 'Does the project involve public health surveillance activities, including the collection and testing of information or biospecimens?'; (c) 'Does the project involve only public health surveillance activities?;' and (d) ' Are the public health surveillance activities limited to those necessary to allow a public health authority to identify, monitor, assess, or investigate public health signals, onsets of disease outbreaks, or conditions of public health importance (including trends, signals, risk factors, patterns in diseases, or increases in injuries from using consumer products)?' 30 This emphasized scrutiny of the nexus or partnership between biomedical professionals and public health authorities discussed in the context of research regulations is relevant to our exploration of whether the HIPAA PHE is viable for a Traceback program. Whether the conditions of the HIPAA PHE at 45 C.F.R. 164.512(b)(i) and 45 C.F.R. 164.512(b)(iv) would be satisfied and thus enable direct disclosure of genetic risk information to a proband's at-risk relatives for carrying out a Traceback program for genetic cancer syndromes requires a finding that the disclosure is a 'necessary' part of a 'public health intervention or investigation' as well as 'authorized by law,' and evidence for such a finding theoretically would include similar documentation (e.g., memoranda of understanding) between the healthcare providers and public health authority. What does the HIPAA PHE's reference to 'authorized by law' mean? Where would genetic counselors or other genomic medicine professionals look if they are curious about whether they may lawfully communicate genetic risk information directly to a proband's relative who might be at risk of developing a genetic disease or condition and who might be at risk of passing along (i.e., 'spreading') a genetic disease or condition to others (namely, the next generation)? Does the HIPAA PHE's language indicating that direct disclosures be to those individuals who 'may otherwise be at risk of contracting or spreading a disease or condition' encompass heritable risks of genetic conditions such as breast and ovarian cancers?
In addition to examining the text of the PHE to the HIPAA Privacy Rule, some might also look to legislative or regulatory history for reassurance that applying the PHE to genomic conditions would not clearly run counter to policymakers' intent. When HIPAA was enacted in 1996, Congress included a provision in the statute that required DHHS to promulgate a privacy rule if Congress itself was unable to pass health information privacy legislation before August 1999. Congress did not meet this self-imposed deadline, and DHHS proceeded accordingly. A proposed rule was announced in November 1999, 31 and DHHS considered > 50,000 public comments before issuing its final rule 1 year later. 32 In its final rule, DHHS referred to 'genetic' or 'hereditary information' dozens of times, devoted a section to ' Advances in Genetic Sciences,' 33 and specifically considered privacy matters related to possible disclosures of 'genetic and hereditary information [of deceased individuals] on living individuals' 34 and the relevance of 'information about illnesses with a genetic component' for the treatment of others. 35 Yet although DHHS therefore clearly anticipated the applicability of HIPAA to genetic information, it rejected characterizations of the PHE as 'an inappropriately broad loophole' 36 and suggestions that the Privacy Rule should impose limits on public health functions, explaining that the PHE was kept sufficiently narrow by Congress, given that such activities must be 'established by law.' 37 Although DHHS clarified the Privacy Rule by adding a definition of what is 'required by law,' 38 it did not add a new definition for either 'established by law' or 'authorized by law.' Moreover, DHHS explicitly declined 'to distinguish between disclosure of information about communicable diseases and disclosure of genetic information' in 'allow [ Nor, when DHHS has had opportunity to modify the HIPAA Privacy Rule, has it taken action to narrow the PHE or single out genetic information for exceptional treatment. For example, in 2002, when DHHS considered modifications to the PHE specifically, 40 the agency did not revisit the provision allowing for disclosures directly to at-risk individuals. 41 More than a decade later with promulgation of the Omnibus Rule 42 to modify the Privacy Rule to implement the HITECH Act 43 and GINA, 44 there is no documentation to support the notion that policymakers distinguished between horizontal and vertical transmissions of conditions or were interested in modifying the rule to preclude genetic risk information from being disclosed under the PHE if such disclosures were otherwise authorized by law. In fact, although '[o]ne commenter was opposed to the public health exception altogether, stating that it is a privacy loophole that eliminates consumer control over their protected health information,' 45 DHHS actually added a new provision to the PHE that allowed disclosures of student immunization to schools. 46 As our examination of the text and legislative/regulatory history reveals, the HIPAA PHE works in a permissive way, allowing but not obligating healthcare professionals to make disclosures. However, unlike other exceptions to the HIPAA Privacy Rule that hinge on whether disclosures are 'required by law,' the HIPAA PHE hinges on whether the notification has been 'authorized' by law as part of a 'public health intervention or investigation' (a conditional threshold that could be met if a public health law permits but does not mandate such disclosures to occur). Thus, the HIPAA Privacy Rule might be a viable permissive pathway for implementation of Traceback programs if distinct laws authorize notification for the genetic conditions as part of public health activities.

III. APPLICABILITY OF THE HIPAA PHE TO GENOMICS
Public health activities typically are a function of specific state and local-not federallaws for reportable conditions, and these regulatory frameworks impose information disclosure requirements on healthcare providers to state or local health departments. As a result, the specific conditions for which a healthcare provider might be authorized to disclose as reportable health condition and corresponding information could vary from one jurisdiction to another. At a national level, public health surveillance is performed through the Centers for Disease Control through its reliance on the National Notifiable Diseases Surveillance System (or NNDSS), with the Council of 40 47 Efforts to deploy genomics as a public health initiative have been underway for decades. 48 Pilot programs (such as one deployed in Michigan 2003-2008) 49 have explored integration of genomic information for prevention of chronic diseases (such as diabetes, asthma, and heart disease) and also have explored whether public health genomics (for conditions such as sudden cardiac death and cancer) could be successfully implemented if public health authorities were to collect more detailed family history data (such as through the Behavioral Risk Factor Surveillance System, BRAFSS, surveys) 50 or directly employ genetic counselors to carry out genetic screening. 51 Although these pilot programs have highlighted the potential benefits of healthcare providers and public health authorities collaborating more closely in these efforts (including specifically for hereditary cancer surveillance 52 ), they also identified considerable obstacles that have likely not been abated (e.g., lack of financial resources not only to support competitive salaries to recruit and retain adequate genetic counseling expertise to implement a public health genomic program but also to cover associated costs to individuals who are uninsured, under-insured, or receiving Medicaid). 53 To our knowledge, however, there has not been a recent or systematic examination as to whether specific genetic conditions are already present on reportable or notifiable conditions lists to be leveraged in this manner, and both scholars and practitioners report that they are unaware of how such a process might work.
To explore the feasibility of a genetic Traceback program relying upon HIPAA PHE authorizations, we conducted a 50-state survey 54 to cross-check whether genetic conditions were already present on the state reportable conditions lists and the NNDSS list. To do so, we used two distinct general public-facing lists to identify which conditions would be considered 'genetic': a list posted prominently on the National Human Genome Research Institute (NHGRI) website 55 and the conditions included in the Genetic Home Reference (GHR), a resource that is now part of MedlinePlus. 56 The former can be considered to be a conservative list and the latter a more liberal list of genetic conditions. We first checked the NNDSS list to see if those conditions appearing on the NHGRI or GHR lists were nationally notifiable. 57 Subsequently, we checked whether the conditions appearing on each state's reportable conditions list were considered to be a genetic condition as per the NHGRI or GHR lists. 58 The NNDSS list was found to include two conditions appearing on the NHGRI list (i.e., cancer and Kawasaki syndrome) and six conditions appearing on the GHR list as genetic (i.e., cancer, encephalitis, Hansen's disease or Leprosy, hemolytic uremic syndrome or HUS, Kawasaki syndrome, and Lyme's disease). As shown in Table 1a, eight conditions that are listed on the NHGRI website as being a genetic condition were observed on one or more state reportable conditions lists: Cancer (including breast cancer, colon cancer, prostate cancer, and skin cancer), Biotinidase deficiency, Congenital hypothyroidism, Galactosemia, Maple syrup urine disease, Phenylketonuria, Sickle Cell Disease (newborns), and Hemophilia. As shown in    Revisiting the text of the HIPAA PHE that permits disclosure to those individuals who might 'otherwise be at risk of contracting or spreading a disease or condition,' the appearance of genetic conditions on state reportable conditions lists arguably supports the interpretation that this exception should generally permit direct contact of healthcare providers for purposes of a cascade testing screening program, at least for those specific conditions and, by analogy, lend support for expanding the interpretation to encompass other genetic conditions important for public health. However, a counterargument is that the conditions listed (such as Leprosy or Lyme's disease) were included without regard to genetic risk factors or heritability but, rather, due to infectiousness or known pathways for transmission to others (including shared environmental exposures). In addition, there are states in which cases of cancer are reportable by healthcare providers to a cancer registry but disclosures of information to other individuals (including for purposes of disease prevention of at-risk relatives) are not permissible under the current regulatory framework for the registry.
Even if one were to conclude that a healthcare provider is 'authorized by law' to disclose for a particular reportable or notifiable condition, this does not end the inquiry for whether a Traceback program is feasible. Because the HIPAA Privacy Rule sets a protective floor and not a ceiling for health information privacy, such disclosures made directly to at-risk relatives might nevertheless be precluded by more specific, privacypreserving laws, such as state health information privacy laws that are more protective than HIPAA, as well as genetic information privacy statutes. 59 To examine this issue, a 50-state survey was performed to update the information regarding genetic information privacy laws reported by Prince (2013). 60 The genetic privacy laws referenced for each state in Prince (2013) were analyzed for currentness and relevance to Traceback programs. Since 2013, many states have revised and/or added general genetic privacy laws. The use of 'generic' privacy laws means the genetic privacy law is not solely pertaining to paternity, insurance, or labor contexts. Table 2 identifies the states that have implemented a genetic privacy law potentially applicable to Traceback programs, healthcare providers, and the extent to which the law allows disclosure to at-risk individuals. As of May 2022, 32 states require authorization from the index patient or proband before any type of disclosure. Only two states, Colorado and Illinois, expressly permit disclosure of disease information to individuals, including at-risk relatives, without permission from the patient. Delaware and Texas allow disclosure to blood relatives without authorization. In the remaining 18 states, there are either no genetic privacy statutes or there are genetic privacy laws that pertain only to inapplicable areas (such as insurance and parentage), and are silent on the topic of disclosure. See Figure 1

IV. DISCUSSION
Our exploration of the PHE to the HIPAA Privacy Rule leads us to conclude that it is not currently a viable approach for Traceback programs. Textual interpretation of the PHE itself is likely to be kept quite narrow (if courts and policymakers apply approaches similar to those used when interpreting other HIPAA Privacy Rule exceptions). 61 A review of the PHE's development suggests that policymakers did intend for public health interventions and investigations to be possible regardless of whether the information involved genetic or other types of health information and also intended for such matters to be settled by the external authorizing laws rather than by HIPAA itself. Any given healthcare system interested in pursuing a Traceback program based on the HIPAA PHE would need to perform extensive due diligence to determine and monitor whether state reportable conditions and information privacy laws governing the care of patients in their system (which could involve several states) allow such disclosures. There are at least three obstacles that would need to be overcome before the PHE is a viable pathway for Traceback programs. Changes to the HIPAA PHE itself are not necessary to make it a viable pathway for Traceback programs, although guidance from DHHS on 45 CFR 164.512(b)(iv) clarifying that disclosure of genetic information if so authorized by state public health law for Traceback programs would not be a HIPAA violation would be welcomed. The first obstacle is clear legislative or regulatory language in state law to authorize public health authorities and healthcare providers to notify at-risk individuals of genetic risk information. This could involve action by the CTSE to add specific genetic conditions to the national notifiable disease list in addition to state legislative action to add specific conditions to each state's reportable disease lists and to delineate specific implementation guidance for the extent of information that is 'necessary' for the precision public health purpose. Reforms of state public health laws to enable Traceback programs for conditions like ovarian cancer would be appropriate on a condition-by-condition basis, but specifications for data minimization to preserve privacy to the extent possible would be critical. The second is reconciling such an authorization with any applicable genetic information privacy laws that might concurrently be in place that impose distinct constraints on uses and disclosures of genetic risk information. Once such 'authorizations by law' are in place, a third obstacle to overcome would be for healthcare providing organizations to issue transparent documentation of the precision public health 'intervention or investigation,' including the extent to which the healthcare providers are acting independently or as partners with public health authorities.
Of course, whether to expand the HIPAA PHE to include genetic conditions for Traceback programs or alternatively to reform state public health laws to authorize use of the HIPAA PHE for Traceback programs for specific genetic conditions is a question not of law, but of ethics and public policy. 62 When initiating this research, we had three distinct use cases in mind for a possible cancer Traceback program: (i) when a proband has died before the genetic information for the proband's cancer was available (not uncommon for hard-to-detect, aggressive cancers like ovarian cancer); 63 (ii) when a proband's whereabouts are unknown or contact information is not available to provide the proband with an opportunity to authorize or object to a disclosure; and (iii) when a proband has been advised of the importance of notifying at-risk relatives but-for a variety of more or less compelling reasons (e.g., non-paternity versus estrangement)steadfastly refuses to either do so personally or authorize healthcare providers to do so on the proband's behalf. We first offer some considerations for and against using a public health framework for Traceback programs that apply to any scenario, and then offer scenario-specific comments.
Regardless of the fact pattern involved, to some skeptics, ever treating something like a pathogenic BRCA1 variant as a public health issue might sound like a cate-62 It is also a matter of organizational risk tolerance. Even in jurisdictions where it appears to be permissible, it would not be required and healthcare organizations would likely differ in their willingness to launch a Traceback program. Leadership of healthcare organizations differ in their attitudes toward preventable cancer-related deaths and their associated costs, as well as their tolerance for legal and public relations risks. Different fact patterns-ranging from disclosure of information of a deceased proband unable to provide authorization to disclosure of information of a living proband over their objections-could influence their risk assessments. 63 See, e.g., D. R. Gordon & B. A. Koenig, 'If relatives inherited the gene, they should inherit the data. ' Bringing the Family into the Room Where Bioethics Happens, 41 New Genet. Soc. 23-46 (2022). doi: 10.1080/14636778.2021.2007065 (discussing the challenges a healthcare system faced following the identification of genetic variants from 75 deceased pancreatic cancer patients who were not asked to provide authorization to disclose information to at-risk relatives and who did not explicitly give consent for familial disclosure prior to their death). gory mistake. Distinct frameworks typically apply to clinical ethics and public health ethics-a public health ethics framework often emphasizes solidarity and the public good, whereas clinical ethics often emphasizes individual autonomy 64 -and who has access to a patient's data might seem like it belongs in the latter category. Yet, although genetic information comes from the proband's body, it does not pertain to her alone. For instance, when Iceland created a national biobank, the Supreme Court held that a daughter had standing to contest the inclusion of her deceased father's genetic information, since strong inferences about her could be made on the basis of 'his' information. 65 Relatives can not only be harmed by their relatives' genetic information, as the Iceland case suggests; they can also benefit-even have their lives saved-as Traceback programs show. More broadly, as the practice of medicine becomes more anticipatory 66 (rather than merely reactive), health care and public health are coming into closer alignment, with a shared preventative focus and, perhaps, a shared ethics. A similar pattern can be seen in the new concept of the learning health care system, 67 in which every patient encounter is an opportunity to learn for the benefit of the whole, and low-risk data collection and intervention for learning purposes is frequently done without consent. 68 On the other hand, to those for whom the idea of a public health approach to genetics is attractive, we note a few cautions. First, although there are compelling reasons for public health, learning health system, and other data surveillance activities to be carried out regardless of an individual's permissions or objections, 69 there are differences between traditional public health surveillance and Traceback programs that should give pause. First, and most obviously, although genetic conditions are 'communicable' via procreation, they typically do not spread at the scale of many viral diseases. 70 Disclosing the proband's genetic information to their relatives without their consent-or over their objections-is also likely to disrupt family relationships. This is not true of many communicable diseases subject to named reporting-though it is notably true of sexually transmitted diseases and other communicable diseases that spread through intimate contact tracing. Genetic information might be regarded as different than other kinds of information, 71 and it is important to avoid programs that might unreasonably interfere with healthcare access or further undermine public trust in public health measures. 72 In addition, reframing genetic conditions as akin to 'infectious diseases' might exacerbate the guilt that some people already feel upon learning that they have a variant that they might have passed on to their child or other relative.
Finally, it must be acknowledged that genetic privacy 73 and medical privacy preferences more generally are growing amidst concerns regarding datafication, dataveillance, and data justice 74 and amidst the chilling effects already observed following the U.S. Supreme Court's decision in Dobbs v. Jackson's Women's Health Organization 75 that abandoned long-standing judicial recognition of a constitutional right to privacy at least as it would pertain to pregnancy termination decisions. With informational privacy law in a constant state of flux and uncertainty, it is unlikely that broadening any exception to the HIPAA Privacy Rule to enable increased data use and disclosures would garner strong political support at this moment in time.
We turn now to the three broad scenarios involving non-consensual disclosure of proband information to at-risk relatives. In the first and second scenarios-the proband is deceased or alive but unreachable through all reasonable means and is not known to object to disclosure-although the privacy interests of the surviving relatives support ongoing duties limiting the use and disclosure of health information even after a proband's death, 76 when the information is used in Traceback programs, surviving relatives also stand to directly benefit from disclosure of genetic risk information. 77 If there would have been an ethical duty-based in beneficence and nonmaleficenceto warn the proband in such cases, 78 arguably the beneficiary of that duty becomes the at-risk relatives when the proband is unavailable. Indeed, some courts have found that a provider's duty to warn of heritable risks runs to identifiable at-risk relatives. 79 And when probands are not known to object to disclosure, the health interests of these at-risk relatives likely outweigh the risks of disclosure associated with the proband's confidentiality interests. However, consistent with broad HIPAA principles, healthcare providers should use and disclose the minimum information necessary to warn at-risk relatives and encourage the uptake of cascade genetic testing. 80 The third scenario-in which a health system overrides a clear, capacitated 'no' from a proband to disclose genetic risk information-is of course the hardest among the fact patterns to ethically justify. Confidentiality and respect for the patient's autonomy are central to the relationship between a genetic counselor and patient, and unilateral disclosure could undermine trust, cause a contentious and abrupt end to the relationship, and have a chilling effect on other individuals' willingness to undergo genetic testing of any kind (or, more broadly, to candidly share vital health-related information with providers).
Nevertheless, we agree with the Presidential Commission, 81 a National Academies committee, 82 and an American Society for Human Genetics subcommittee 83 that in some cases, disclosure to at-risk relatives over the objections of the proband is ethically preferable to the alternative. Like these other commenters, we believe whether dis-closure is ethically prohibited, permissible, or obligatory depends on multiple factors, including: (a) the magnitude of risk to relatives if they are variant-positive, (b) the degree to which that risk can be mitigated through disclosure, (c) the reasons for the proband's refusal to disclose, (d) whether disclosure is likely to cause harm (e.g., to the relative, to the proband, to their relationship, or to others), (e) whether the provider could instead point to evidence in the relative's own medical or social history (as opposed to the proband's genetic results) to encourage genetic testing, and (f) whether disclosure could be made without revealing the identify of the proband. If the assessment favors disclosure, procedurally, a Traceback program would include steps (i) to document that reasonable efforts to convince a proband to share genomic risk information with the proband's at-risk relatives have been unsuccessful; (ii) to demonstrate reasonable sensitivity to any known reasons why the proband is resistant to disclosure to at-risk relatives; and (iii) to ensure that the minimum amount of PHI is disclosed to achieve the intended purpose.
Given our analysis of the ethical permissibility (at least in some cases) of a provider disclosing a proband's genetic results to at-risk relatives under all three scenarios, we therefore believe that the HIPAA Privacy Rule's PHE should be leveraged ethically and transparently to advance the goals of Traceback programs to reduce morbidity and mortality associated with heritable cancers and many other conditions and diseases. This pathway could help the United States achieve the prioritized goals of the Cancer Moonshot, 84 which include increasing opportunities for cancer screenings and expanding cancer-prevention approaches to improve health equity. 85 Ideally, a diverse set of experts would be convened to help identify the specific legal reforms and develop model language (both for satisfying the PHE's 'authorized by law' requirement in state law and for memoranda of understanding, or MOUs, documenting substantive and procedural aspects of public health activities undertaken by healthcare providing organizations) necessary for Traceback programs to be among the strategies pursued to advance prevention, detection, and treatment of cancer. Although institutional and state variation might occur with actual implementation, such guidance would be welcomed and help establish credibility in the endeavor. Such guidance could be developed through roundtable discussions engaging the Centers for Disease Control and Prevention's Office of Genomics and Precision Public Health; the U.S. Preventative Services Task  Once that occurs, there remain both substantive and procedural design considerations for Traceback programs intended to leverage the HIPAA Privacy Rule's PHE (reflecting that PHE would be a permissive but not mandatory pathway for disclosure), and the criteria for such Traceback programs should be delineated in institutional policy in advance. For example, although genetic cancer conditions have been our test case for exploring the contours of the PHE, conditions considered for inclusion on a public health reportable/notifiable conditions list should not, in our view, be limited to cancers. Traceback programs should be evidence-based and attuned to equity, so it would be reasonable to encourage inclusion of all CDC Tier 1 conditions. 86 A recent review has highlighted the benefits of population screening for hereditary breast and ovarian cancer, Lynch syndrome, and familial hypercholesterolemia in particular. 87 Although the American College of Medical Genetics and Genomics (ACMG) list for reporting secondary findings of clinical exome and genome sequencing is not intended to be a substitute for either diagnostic testing based on clinical criteria or population screening, the medically actionable genes on the current ACMG list 88 have undergone ample vetting to be considered appropriate for Traceback programs.
Procedural considerations include, for example, setting out steps that healthcare providers must take (as a matter of institutional policy rather than a legal requirement) prior to direct disclosure to the at-risk relatives, particularly if the disclosure is occurring because of active or passive nondisclosure by the proband personally. If health equity is a prioritized feature (as it should be), prior to implementation, Traceback programs also need to take into account the downstream implications for those at-risk relatives (e.g., logistics and out-of-pocket impacts to obtain the genetic testing encouraged; community receptivity to testing; local/state legal protections from discrimination in life, disability, long-term care insurance, and other social settings; etc.) 89 and devise a strategy for ensuring that, at a minimum, the informational needs can be met.

V. CONCLUDING REMARKS
Traceback programs are particularly important for addressing ovarian cancer and similar serious genetic conditions. Extensive efforts are underway to identify barriers and facilitators for multi-state Traceback programs, including legal, communication, and other programmatic issues. 90 At present, those implementing Traceback programs and needing to navigate the complex and ever-changing legal landscape for genetic and health information privacy may, as a starting point, consult this and prior scholarship on acceptable patient-mediated and provider-mediated approaches under HIPAA 91 and review the LawSeq SM database 92 and ELSIhub resources. 93 Even if cascade genetic testing legally must-or for other reasons should-continue to be mediated by the proband, there nevertheless might be ways of improving uptake. For instance, there is some early evidence that technology such as mobile apps 94 or chatbots 95 might be useful in increasing uptake of cascade testing. One commonly cited reason why probands refuse to participate in cascade programs is that they are estranged from, or otherwise do not feel comfortable communicating with, the relevant family member(s); 96 in such cases, these tools' relative lack of intimacy compares to in-person or telephone conversations might be an advantage. Technology also provides a scalable way to disseminate expert genetic counselor-developed information to at-risk relatives, which can alleviate probands' concerns that they do not know what to say. 'Nudges' and other interventions informed by behavioral science-such as exposing probands to positive stories of cascade testing or to information that most probands find it